Keyring access requested although non-publishing operations do not need any credentials. #8761
Comments
real-yfprojects
added
kind/bug
|
close enough to duplicating #8623 that I doubt it's useful to track separately. pull requests welcome, I assume |
I think I'm fine with this. Afaik, the other issue describes a specific regression and this issue is more general. So the other issue might be resolved without resolving this one. I'm not that deep into this keyring topic, but I suppose #7038 (comment) might be a reason why we are trying to use keyring even if it's not necessary:
I don't feel able to judge if we should stick to it or not. |
|
Just ran into this issue again: I did mkdir new-project
cd my-project poetry init
poetry add <some dependency>Unfortunately, this time I had forgotten to set
However, in my case, the prompt also prevented me (an i3 user) from switching to any other window or workspace. As a result, I had to switch to another TTY and
In light of the above, I would vote for not sticking to this or at least making this behavior transparent to the user somehow before they invoke |
|
This access attempt is prohibitive as I've just discovered poetry: I use GNOME, but not the keyring functionality, and on an interactive This is confusing and unexpected behavior. |
|
This issue persists with version 1.8.3. As others stated above, the (seemingly) infinite loop of keyring password requests effectively locks up the GUI; it's not even possible to switch to a character VT. ssh from another machine is needed for a It wouldn't be nearly as bad if we could at least specify a non-default collection on the keyring. The |
Python-poetry is affected by bug <python-poetry/poetry#8761>. Namely, if you have "keyring" <https://pypi.org/project/keyring/> installed, poetry will try to gain access to the Default collection in the (ex. GNOME) keyring, even if poetry only needs read-only access to package repositories, and even if those repos are public. Consequently, you either unlock your Default collection for poetry (unjustifiedly), or your GUI session gets effectively locked up, because any time you hit Cancel on the keyring unlock dialog, poetry immediately pops up another, and this dialog grabs the keyboard -- you cannot even switch to a character VT, for killing poetry; you have to log in via ssh for that. This issue is not visible to users who don't use "keyring" (GNOME or otherwise). For those who do, work around the problem by selecting the "null" keyring back-end, in the environment of every poetry invocation. Note: I have not regression-tested the workaround in a desktop environment where "keyring" is unavailable to begin with. Signed-off-by: Laszlo Ersek <[email protected]>
Python-poetry is affected by bug <python-poetry/poetry#8761>. Namely, if you have "keyring" <https://pypi.org/project/keyring/> installed, poetry will try to gain access to the Default collection in the (ex. GNOME) keyring, even if poetry only needs read-only access to package repositories, and even if those repos are public. Consequently, you either unlock your Default collection for poetry (unjustifiedly), or your GUI session gets effectively locked up, because any time you hit Cancel on the keyring unlock dialog, poetry immediately pops up another, and this dialog grabs the keyboard -- you cannot even switch to a character VT, for killing poetry; you have to log in via ssh for that. This issue is not visible to users who don't use "keyring" (GNOME or otherwise). For those who do, work around the problem by selecting the "null" keyring back-end, in the environment of every poetry invocation. Note: I have not regression-tested the workaround in a desktop environment where "keyring" is unavailable to begin with. Signed-off-by: Laszlo Ersek <[email protected]>
…from Laszlo Ersek - `docs/Makefile`: work around python-poetry issue python-poetry/poetry#8761 - `docs/README.md`: fix minimum poetry version No backporting needed (docs development). Closes #21118 * github.com:scylladb/scylladb: docs/README.md: fix minimum poetry version docs/Makefile: work around python-poetry issue #8761
-vvvoption) and have included the output below.Issue
In its essence this is the same as #1917 and closely linked to #8623.
Can you summarize the problem?
For any http request made by poetry it will hit the keyring for possible credentials to send along (presumably to support private repositories and registries). However this has the consequents that poetry needs keyring access for almost all operations although most operations do not require any credentials. This is bad. Quoting from #1917 (comment):
Why was #1917 closed?
Very good question. The maintainers apparently thought fixing the symptoms would also fix the underlying problem. See #8078 (comment) and #8227. As a matter of fact the underlying issue now reappears in a different disguise.
What's the new symptom?
#8227 fixed the problem where poetry just exited when the keyring access was denied. In the current version it ignores the denial and sends the http request without credentials.
However for the next http request it will try to access the keyring again. For a command like
poetry add pytestthis will result in uncountable popups requesting keyring access that one has to deny (hit cancel in my case) one after another. This makes poetry unusable without granting keyring access. It is safe to say that #8227 practically didn't fix anything.What would be an actual fix?
I can already imagine the maintainers putting forward fixes for this new problem instead of fixing the underlying issue.
The sane way of fixing this goes like that:
Prioritize the uses cases of the majority. Only a minority of packages need credentials for resolving dependencies. For those users the configuration file format could be adjusted so that they can specify when credentials are required. For all other users poetry shouldn't hit the keyring at all when running
lock,install,add, ... However forpoetry publishcredentials may be requested for all users.The text was updated successfully, but these errors were encountered: